Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Does Gmail's Perpetual Window Play Fast, Loose With Data?

This fine piece in Wired about a "perpetual window into Gmail" caught my attention this weekend for two reasons.
First, I live in Gmail. It's my primary, personal email haven. Second, considering the data-sucking sounds Path made this month, the idea that Google has left open some potentially serious

This fine piece in Wired about a "perpetual window into Gmail" caught my attention this weekend for two reasons.

First, I live in Gmail. It's my primary, personal email haven. Second, considering the data-sucking sounds Path made this month, the idea that Google has left open some potentially serious paths to users' data is alarming.

Here's the rub: Oauth, the standard that lets users grant Web apps permission to connect to another without having to type in a user name and password every time, has made it so simple for users to federate access between Web services that people aren't preserving their privacy any longer.

With people connecting dozens of apps to their Google, Facebook and Twitter accounts, it opens up security risks.

Further reading

However, said Wired, Gmail is the worst transgressor. Services connected to Gmail via Oauth are issued a token that gives unlimited access to your complete Gmail history."

Updated: Thanks to Wired, I can trace the apps I gave permission to talk to my Google account Gmail account. Though Gmail isn't among my list, this still gives me a good idea of all the little tunnels I've potentially created for my Google account.

Now, it's not that I think these apps, many of which are also made by Google, will abuse my privacy or hijack my data for malicious purposes.

But as Wired sagely noted, some of these apps are built by college kids, part-time workers or even employees with less than honorable intentions:

"Any of these services becomes the weakest link to access the email for thousands of users. If one's hacked or the list of tokens leaked, everyone who ever used that service risks exposing his complete Gmail archive."

It sucks to think that I and so many others have opened dozens or hundreds of little vulnerabilities. I've They've inadvertently, though willingly for convenience sake, created dozens of paths for perpetrators to exploit to access their Gmail--if someone so desired.

If those apps they connect Gmail with are hacked, cracked, hijacked or otherwise misused ... well, there's their Gmail data for anyone to see. And they wouldn't ever even know about it if the perp was careful and devious enough.

I guess we should be grateful Google has a link next to each app that will let users revoke access for the app to Gmail. Users can also change their passwords to revoke Oauth token access.

Even so, it's a disturbing thought. Are you concerned, or is this overblown?